Hi @ all,
currently I'm trying to set up a server (OpenBSD) that will act as a VPN for road warriors and all users with access will be on the same subnet.

The final thought is to use it like:

{road warrior} ---> {OpenBSD vpn} ---> {internet}

A friend and I decided to use IPSEC for this but we're having some difficulties (using OpenBSD both on server and client).

So far, the keys are in the right place, negotiation between machines seems ok, we can see flows using `ipsecctl -s all` but the problem is that we cannot understand how to route the traffic. We tried with gif(4) but that did not work.

edit: I searched as much as I could in here and mailing lists, but I could not find anything helpful...

I know we are missing many things. Can someone provide info/help in this?

As you described your goal, it appeared to me that you wished to have someone at any external IP address establish a tunnel to a local address, then use that local address as an initiation for further communication outbound. That's not the picture you drew, nor does it match the configuration files and output that you shared with us.

Did I understand what you wanted to accomplish? If so, IPSec alone won't provide that. You will need to establish tunnels within an IPSec flow, and gif(4) would be one likely candidate. The gif(4) man page has an example of this using bridge(4) and the etherip protocol.

The reason you need additional tunnels is because IPSec uses flows to determine whether to apply IPSec to a packet, and Security Associations (SAs) to determine the various IPSec options to apply to a packet within a flow. By itself, it doesn't provide for the "local virtual IP address for a road warrior" that you apparently need.
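The "tunnel inside an IPsec flow" arrangement from the reply above, written out as an added example that is not from either poster: a point-to-point gif(4) tunnel whose IP-in-IP packets are the only thing the IPsec flow has to cover, plus the routing and NAT that send the road warrior's traffic out through the gateway. It assumes RFC 5737 addresses (constructed), a fixed public address on both peers (so one gif interface per peer), `em0` as the gateway's external interface, and the isakmpd public keys already in place as described in the question.

```shell
#!/bin/sh
# Added example (not the thread's own config): gif(4) tunnel carried inside an
# IPsec transport-mode flow on OpenBSD, gateway NATing the tunnel subnet out.
# All addresses are constructed (RFC 5737) and both endpoints are assumed fixed.
GW_PUB=203.0.113.1;  RW_PUB=198.51.100.7   # public (outer) endpoints
GW_TUN=10.99.0.1;    RW_TUN=10.99.0.2      # tunnel (inner) addresses
TUN_NET=10.99.0.0/24                       # subnet the road warriors live in
EXT_IF=em0                                 # gateway's Internet interface (assumed)
RW_GW=198.51.100.1                         # road warrior's real next hop
# One /etc/ipsec.conf line for either side: gif emits IP-in-IP (protocol
# "ipencap", 4) between the public addresses, so that is all the flow must
# match; transport mode avoids adding a second outer IP header.
ipsec_conf() { printf 'ike esp transport proto ipencap from %s to %s\n' "$1" "$2"; }
# ifconfig steps for gif0: $1 local pub, $2 remote pub, $3 local tun, $4 remote tun.
gif_cmds() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s\n' "$3" "$4"
    printf 'ifconfig gif0 up\n'
}
# Start IKE without KeyNote policy checks, then load the flow from ipsec.conf.
ike_cmds() { printf 'isakmpd -K\nipsecctl -f /etc/ipsec.conf\n'; }
# Gateway: forward what arrives over gif0 and NAT it out of $EXT_IF.
gateway_cmds() {
    gif_cmds "$GW_PUB" "$RW_PUB" "$GW_TUN" "$RW_TUN"
    printf 'sysctl net.inet.ip.forwarding=1\n'
    ike_cmds
}
pf_rules() {   # lines for /etc/pf.conf (reload with "pfctl -f /etc/pf.conf")
    printf 'pass in on gif0 from %s\n' "$TUN_NET"
    printf 'match out on %s from %s to any nat-to (%s)\n' "$EXT_IF" "$TUN_NET" "$EXT_IF"
}
# Road warrior: pin the route to the gateway's public address to the real
# next hop BEFORE swapping the default route, otherwise the tunnel's own
# outer packets would be sent into the tunnel and nothing would flow.
client_cmds() {
    gif_cmds "$RW_PUB" "$GW_PUB" "$RW_TUN" "$GW_TUN"
    printf 'route add -host %s %s\n' "$GW_PUB" "$RW_GW"
    printf 'route change default %s\n' "$GW_TUN"
    ike_cmds
}
# Review the emitted commands first; apply as root with "sh file gateway|client".
case "${1:-}" in
    gateway) ipsec_conf "$GW_PUB" "$RW_PUB" >/etc/ipsec.conf; pf_rules >>/etc/pf.conf; gateway_cmds | sh ;;
    client)  ipsec_conf "$RW_PUB" "$GW_PUB" >/etc/ipsec.conf; client_cmds | sh ;;
esac
```

Running `ipsecctl -n -f /etc/ipsec.conf` on the target parses the generated rule without loading it, and `ipsecctl -s all` should then show the ipencap flow between the two public addresses once IKE has completed.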